Test PR for dotnet-analyzers-action #20

Draft: wants to merge 35 commits into base: main
Changes from 26 commits

Commits (35):
faf588d Initial sources (mavasani, Jan 21, 2021)
1437956 Changes (mavasani, Jan 22, 2021)
6440106 Changes (mavasani, Jan 22, 2021)
d31074a Update action.ts (mavasani, Jan 22, 2021)
e586115 Merge pull request #2 from mavasani/mavasani-patch-2 (mavasani, Jan 22, 2021)
c172fe7 Update action.ts (mavasani, Jan 22, 2021)
e8c2e5b Merge pull request #3 from mavasani/mavasani-patch-1 (mavasani, Jan 22, 2021)
729f84a Update on-push-verification.yml (mavasani, Jan 22, 2021)
eaaa72f Update action.ts (mavasani, Jan 22, 2021)
7c1e8c4 Changes (mavasani, Jan 22, 2021)
17ffd85 Fixes (mavasani, Jan 22, 2021)
ae05100 Fixes (mavasani, Jan 22, 2021)
e2e7a99 Fixes (mavasani, Jan 22, 2021)
8e809b3 Fixes (mavasani, Jan 22, 2021)
b4f4180 Update on-push-verification.yml (mavasani, Jan 22, 2021)
f79a17b Update sample-workflow-windows-latest.yml (mavasani, Jan 22, 2021)
3d903e8 Update sample-workflow-ubuntu-latest.yml (mavasani, Jan 22, 2021)
abb3b28 Fixes (mavasani, Jan 22, 2021)
6ccf8b3 Merge branch 'main' of https://github.com/mavasani/dotnet-analyzers-a… (mavasani, Jan 22, 2021)
f18384b Sample (mavasani, Jan 22, 2021)
5b5d04d Fixes (mavasani, Jan 23, 2021)
98647a5 Fixes (mavasani, Jan 23, 2021)
b7cc458 Fixes (mavasani, Jan 23, 2021)
4f3b742 Temp config (mavasani, Jan 23, 2021)
8519309 Fixes (mavasani, Jan 23, 2021)
c2e5731 Update src/action.ts (mavasani, Jan 25, 2021)
acf4b2b Merge branch 'main' into dotnet-analyzers (mavasani, Feb 5, 2021)
a5b8536 Update .github/workflows/on-push-verification.yml (mavasani, Feb 5, 2021)
aae06f9 Update .github/workflows/on-push-verification.yml (mavasani, Feb 5, 2021)
3bce568 Update .github/workflows/on-push-verification.yml (mavasani, Feb 6, 2021)
034fca2 Try fix (mavasani, Feb 6, 2021)
d43114b Merge branch 'dotnet-analyzers' of https://github.com/mavasani/ossar-… (mavasani, Feb 6, 2021)
8dfd6b5 Update .github/workflows/on-push-verification.yml (mavasani, Feb 6, 2021)
540902a Update .github/workflows/on-push-verification.yml (mavasani, Feb 6, 2021)
9cf7b9f Update .github/workflows/on-push-verification.yml (mavasani, Feb 6, 2021)
20 changes: 8 additions & 12 deletions .github/workflows/on-push-verification.yml
@@ -1,14 +1,14 @@
# sample-workflow-windows-latest
# docs are in the repo

name: OSSAR on-push-verification windows-latest
name: .NET Analyzers on-push-verification windows-latest
on: push

jobs:
sample:
name: Open Source Static Analysis Runner
name: .NET Analyzers runner

# OSSAR runs on windows-latest.
# .NET Analyzers runs on windows-latest.
# ubuntu-latest and macos-latest supporting coming soon
runs-on: windows-latest
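Review bot: the header comment `# sample-workflow-windows-latest` at the top of this hunk names a different file than the one being edited (on-push-verification.yml), and `# ubuntu-latest and macos-latest supporting coming soon` should read `support coming soon`; fix both while the surrounding comments are being renamed anyway.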

@@ -18,21 +18,17 @@ jobs:
- uses: actions/checkout@v2

# Ensure a compatible version of dotnet is installed.
# The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201.
# The [Microsoft Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201.
# A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action.
# Remote agents already have a compatible version of dotnet installed and this step may be skipped.
# For local agents, ensure dotnet version 3.1.201 or later is installed by including this action:
# - uses: actions/setup-dotnet@v1
# with:
# dotnet-version: '3.1.x'

# Run open source static analysis tools
- name: Run OSSAR
# Run .NET Analyzers
- name: Run .NET Analyzers
uses: ./
id: ossar

# Upload results to the Security tab
mavasani (author) commented:
Not sure if we want to upload results from .NET analyzers run to security tab or not, as the analyzers are not restricted to just security analyzers. Will have to talk with @mikadumont to decide

A contributor replied:
GitHub would prefer if only security results were in the tab, as noise will make people not pay attention to critical issues. Should likely remove this for now. There may be a way to selectively export security-only rules with Guardian and a policy, although I am unfamiliar if we have that capability now.

- name: Upload results to Security tab
uses: github/codeql-action/upload-sarif@v1
id: dotnet-analyzers
with:
sarif_file: ${{ steps.ossar.outputs.sarifFile }}
projects: ./samples/ClassLibrary1.sln
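Review bot: if the `Upload results to Security tab` step is removed from this verification workflow as the thread above suggests, nothing left in the workflow exercises the `sarifFile` output that action.yml still declares; add a step after `Run .NET Analyzers` that fails when `${{ steps.dotnet-analyzers.outputs.sarifFile }}` is empty or the file does not exist, so the output contract is still checked on every push. Also, the comment block here still says `Remote agents` and `local agents` where the two sample workflows say `GitHub hosted runners` and `self-hosted runners`; align the wording.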
22 changes: 8 additions & 14 deletions .github/workflows/sample-workflow-ubuntu-latest.yml
@@ -1,17 +1,17 @@
# sample-workflow-ubuntu-latest
# docs are in the repo

name: OSSAR ubuntu-latest
name: .NET Analyzers ubuntu-latest
on:
push:
branches:
- master
- main

jobs:
sample:
name: Open Source Static Analysis Runner
name: .NET Analyzers runner

# OSSAR runs on windows-latest.
# .NET Analyzers runs on windows-latest.
# ubuntu-latest and macos-latest supporting coming soon
runs-on: ubuntu-latest
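Review bot: the comment `# .NET Analyzers runs on windows-latest.` sits directly above `runs-on: ubuntu-latest` in this hunk, and the README Limitations section in this same PR says `ubuntu-latest` support is coming soon; either this sample is expected to work on ubuntu-latest (then update the comment and the README) or it should not ship as a sample yet. `supporting coming soon` should also be `support coming soon`, here and in the windows sample.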

@@ -21,7 +21,7 @@ jobs:
- uses: actions/checkout@v2

# Ensure a compatible version of dotnet is installed.
# The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201.
# The [Microsoft Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201.
# A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action.
# GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped.
# For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action:
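Review bot: only the product name changed in `# The [Microsoft Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201.`; the link target and the v3.1.201 minimum were carried over from the OSSAR comment, so confirm both still apply to the Code Analysis CLI this action now runs, and update the `setup-dotnet` hint below it if the minimum differs.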
@@ -30,12 +30,6 @@ jobs:
# dotnet-version: '3.1.x'

# Run open source static analysis tools
- name: Run OSSAR
uses: github/ossar-action@v1
id: ossar

# Upload results to the Security tab
- name: Upload results to Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ${{ steps.ossar.outputs.sarifFile }}
- name: Run .NET Analyzers
uses: github/dotnet-analyzers-action@v1
id: dotnet-analyzers
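Review bot: the new `Run .NET Analyzers` step has no `with:` block, but action.yml in this PR declares the `projects` input as `required: true`; add `with:` and `projects: <path to .sln or .csproj>` so the sample runs as written (the on-push-verification workflow passes `projects: ./samples/ClassLibrary1.sln`).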
24 changes: 9 additions & 15 deletions .github/workflows/sample-workflow-windows-latest.yml
@@ -1,17 +1,17 @@
# sample-workflow-windows-latest
# docs are in the repo

name: OSSAR windows-latest
name: .NET Analyzers windows-latest
on:
push:
branches:
- master
- main

jobs:
sample:
name: Open Source Static Analysis Runner
name: .NET Analyzers runner

# OSSAR runs on windows-latest.
# .NET Analyzers runs on windows-latest.
# ubuntu-latest and macos-latest supporting coming soon
runs-on: windows-latest

@@ -21,21 +21,15 @@ jobs:
- uses: actions/checkout@v2

# Ensure a compatible version of dotnet is installed.
# The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201.
# The [Microsoft Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201.
# A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action.
# GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped.
# For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action:
# - uses: actions/setup-dotnet@v1
# with:
# dotnet-version: '3.1.x'

# Run open source static analysis tools
- name: Run OSSAR
uses: github/ossar-action@v1
id: ossar

# Upload results to the Security tab
- name: Upload results to Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ${{ steps.ossar.outputs.sarifFile }}
# Run .NET Analyzers
- name: Run .NET Analyzers
uses: github/dotnet-analyzers-action@v1
@mavasani (author), Jan 25, 2021:
This will likely be the new repo URL, but have to confirm with @mikadumont

@mikadumont, Feb 6, 2021:

Shouldn't it be called code-analysis?

@mavasani (author):
Yep, I will fix it up in the cloned repo.

id: dotnet-analyzers
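Review bot: same gap as the ubuntu sample: the step ends at `id: dotnet-analyzers` with no `projects` input even though action.yml marks it `required: true`; add `with:` and `projects:`. Since the thread on `uses: github/dotnet-analyzers-action@v1` leaves the final repository name open (code-analysis was suggested), note that the README badges, the CONTRIBUTING fork and compare links and the issues link in this PR all hardcode `dotnet-analyzers-action` and will need the same rename in one pass.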
4 changes: 2 additions & 2 deletions CONTRIBUTING.md
@@ -1,7 +1,7 @@
## Contributing

[fork]: https://github.com/github/ossar-action/fork
[pr]: https://github.com/github/ossar-action/compare
[fork]: https://github.com/github/dotnet-analyzers-action/fork
[pr]: https://github.com/github/dotnet-analyzers-action/compare
[code-of-conduct]: CODE_OF_CONDUCT.md

Hi there! We're thrilled that you'd like to contribute to this project. Your help is essential for keeping it great.
56 changes: 15 additions & 41 deletions README.md
@@ -1,23 +1,20 @@
# github/ossar-action
# github/dotnet-analyzers-action

![OSSAR windows-latest](https://github.com/github/ossar-action/workflows/OSSAR%20windows-latest/badge.svg)
![OSSAR ubuntu-latest](https://github.com/github/ossar-action/workflows/OSSAR%20ubuntu-latest/badge.svg)
![.NET Analyzers windows-latest](https://github.com/github/dotnet-analyzers-action/workflows/.NET%20Analyzers%20windows-latest/badge.svg)
![.NET Analyzers ubuntu-latest](https://github.com/github/dotnet-analyzers-action/workflows/.NET%20Analyzers%20ubuntu-latest/badge.svg)

Run open source security static analysis tools without the added complexity with OSSAR (Open Source Static Analysis Runner).
Run [.NET code quality and code style analyzers](https://docs.microsoft.com/dotnet/fundamentals/code-analysis/overview) that ship with the .NET SDK.

# Limitations

The OSSAR action is currently in beta and runs on the `windows-latest` queue, as well as Windows self hosted agents. `ubuntu-latest` support coming soon.
The .NET Analyzers action is currently in beta and runs on the `windows-latest` queue, as well as Windows self hosted agents. `ubuntu-latest` support coming soon.

# Overview

This action runs the [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) for security analysis by:
This action runs the [Code Analysis CLI](https://aka.ms/mscadocs) for .NET code quality and code style analysis by:

* Installing the Microsoft Security Code Analysis CLI
* Installing the latest policy or referencing the local `policy/github.gdnpolicy` file
* Installing the latest open source tools
* Automatic or user-provided configuration of static analysis tools
* Execution of a full suite of static analysis tools
* Installing the Code Analysis CLI
* Execution of [.NET code quality and code style analyzers](https://docs.microsoft.com/dotnet/fundamentals/code-analysis/overview) that ship with the .NET SDK
* Normalized processing of results into the SARIF format
* Exports a single SARIF file which can be uploaded via the `github/codeql-action/upload-sarif` action
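Review bot: the Limitations paragraph still says the action runs only on the `windows-latest` queue with `ubuntu-latest` support coming soon, while the badge lines a few lines above add a `.NET Analyzers ubuntu-latest` workflow badge and this PR ships a sample workflow with `runs-on: ubuntu-latest`; reconcile the two. The retained bullet `Exports a single SARIF file which can be uploaded via the github/codeql-action/upload-sarif action` should also reflect the outcome of the discussion on the verification workflow about keeping non-security results out of the Security tab, either by documenting the upload as optional or by dropping the bullet.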

@@ -27,54 +24,31 @@ See [action.yml](action.yml)

## Basic

Run OSSAR with the default policy and recommended tools.
Run [.NET code quality and code style analyzers](https://docs.microsoft.com/dotnet/fundamentals/code-analysis/overview) that ship with the .NET SDK.

```yaml
steps:
- uses: actions/checkout@v2
- name: Run OSSAR
uses: github/ossar-action@v1
id: ossar
- name: Upload results to Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ${{ steps.ossar.outputs.sarifFile }}
- name: Run .NET code quality and code style analyzers
uses: github/dotnet-analyzers-action@v1
id: dotnet-analyzers
```

**Note:** The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201. A version greater than or equal to v3.1.201 of dotnet must be installed on the runner in order to run this action. GitHub hosted runners already have a compatible version of dotnet installed. To ensure a compatible version of dotnet is installed on a self-hosted runner, please configure the [actions/setup-dotnet](https://github.com/actions/setup-dotnet) action.
**Note:** The [Microsoft Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201. A version greater than or equal to v3.1.201 of dotnet must be installed on the runner in order to run this action. GitHub hosted runners already have a compatible version of dotnet installed. To ensure a compatible version of dotnet is installed on a self-hosted runner, please configure the [actions/setup-dotnet](https://github.com/actions/setup-dotnet) action.

```
- uses: actions/setup-dotnet@v1
with:
dotnet-version: '3.1.x'
```

## Upload Results to the Security tab

To upload results to the Security tab of your repo, run the `github/codeql-action/upload-sarif` action immediately after running OSSAR. OSSAR sets the action output variable `sarifFile` to the path of a single SARIF file that can be uploaded to this API.

```yaml
- name: Upload results to Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ${{ steps.ossar.outputs.sarifFile }}
```

# Open Source Tools

| Name | Language |
| --- | --- |
| [Bandit](https://github.com/PyCQA/bandit) | python |
| [BinSkim](https://github.com/Microsoft/binskim) | binary - Windows, ELF |
| [ESlint](https://github.com/eslint/eslint) | JavaScript |

# More Information

Please see the [wiki tab](https://github.com/github/ossar-action/wiki) for more information and the [Frequently Asked Questions (FAQ)](https://github.com/github/ossar-action/wiki/FAQ) page.
Please see the [wiki tab](https://github.com/github/dotnet-analyzers-action/wiki) for more information and the [Frequently Asked Questions (FAQ)](https://github.com/github/dotnet-analyzers-action/wiki/FAQ) page.

# Report Issues

Please [file a GitHub issue](https://github.com/github/ossar-action/issues/new) in this repo. To help us investigate the issue, please include a description of the problem, a link to your workflow run (if public), and/or logs from the OSSAR's action output.
Please [file a GitHub issue](https://github.com/github/dotnet-analyzers-action/issues/new) in this repo. To help us investigate the issue, please include a description of the problem, a link to your workflow run (if public), and/or logs from the .NET Analyzers's action output.

# License
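Review bot: the Basic example ends at `id: dotnet-analyzers` without the `projects` input that action.yml declares `required: true`, so a reader copying it gets an incomplete workflow; add `with:` and `projects:`. If the `## Upload Results to the Security tab` section stays, it still says to run `upload-sarif` immediately after OSSAR and references `steps.ossar.outputs.sarifFile`; rename it to the new step id and, given the thread about keeping non-security results out of the Security tab, say when uploading is appropriate. Minor: `.NET Analyzers's action output` should be `the .NET Analyzers action's output`, and the `setup-dotnet` fence is untagged where the other fences use `yaml`.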

39 changes: 0 additions & 39 deletions SECURITY.md

This file was deleted.
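Review bot: deleting SECURITY.md leaves this action repository without a vulnerability reporting policy, which GitHub surfaces on the repo's Security tab; if the old file was OSSAR-specific, replace it with a short policy pointing at the correct reporting channel rather than removing it outright.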

64 changes: 54 additions & 10 deletions action.yml
@@ -1,17 +1,61 @@
name: 'ossar-action'
description: 'Run open source security static analysis tools without the added complexity with OSSAR (Open Source Static Analysis Runner)'
name: 'dotnet-analyzers-action'
description: 'Run .NET code quality and code style analyzers shipping with .NET SDK'
author: 'GitHub'
branding:
icon: 'shield'
color: 'black'
inputs:
config:
description: A file path to a .gdnconfig file.
policy:
description: The name of the well known policy to use. If empty, defaults to the policy/github.gdnpolicy file in the action repo.
projects:
description: 'Semi-colon separated list of projects or solutions to analyze'
required: true
analysis-level: # AnalysisLevel: https://docs.microsoft.com/dotnet/core/project-sdk/msbuild-props#analysislevel
description: 'Default analysis level for all rules'
required: false
default: 'latest-minimum'
style: # AnalysisLevelStyle: https://docs.microsoft.com/dotnet/core/project-sdk/msbuild-props#analysislevel
description: 'Overridden analysis level for code style rules: https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/style-rules/'
required: false
default: 'latest-minimum'
design: # AnalysisLevelDesign: https://docs.microsoft.com/dotnet/core/project-sdk/msbuild-props#analysislevel
description: 'Overridden analysis level for sesign rules: https://docs.microsoft.com/dotnet/fundamentals/code-analysis/quality-rules/design-warnings'
required: false
default: 'latest-minimum'
documentation: # AnalysisLevelDocumentation: https://docs.microsoft.com/dotnet/core/project-sdk/msbuild-props#analysislevel
description: 'Overridden analysis level for documentation rules: https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/documentation-warnings'
required: false
default: 'latest-minimum'
globalization: # AnalysisLevelGlobalization: https://docs.microsoft.com/dotnet/core/project-sdk/msbuild-props#analysislevel
description: 'Overridden analysis level for globalization rules: https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/globalization-warnings'
required: false
default: 'latest-minimum'
interoperability: # AnalysisLevelInteroperability: https://docs.microsoft.com/dotnet/core/project-sdk/msbuild-props#analysislevel
description: 'Overridden analysis level for portability and interoperability rules: https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/interoperability-warnings'
required: false
default: 'latest-minimum'
maintainability: # AnalysisLevelMaintainability: https://docs.microsoft.com/dotnet/core/project-sdk/msbuild-props#analysislevel
description: 'Overridden analysis level for maintainability rules: https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/maintainability-warnings'
required: false
default: 'latest-minimum'
naming: # AnalysisLevelNaming: https://docs.microsoft.com/dotnet/core/project-sdk/msbuild-props#analysislevel
description: 'Overridden analysis level for naming rules: https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/naming-warnings'
required: false
default: 'latest-minimum'
performance: # AnalysisLevelPerformance: https://docs.microsoft.com/dotnet/core/project-sdk/msbuild-props#analysislevel
description: 'Overridden analysis level for performance rules: https://docs.microsoft.com/dotnet/fundamentals/code-analysis/quality-rules/performance-warnings'
required: false
default: 'latest-minimum'
reliability: # AnalysisLevelReliability: https://docs.microsoft.com/dotnet/core/project-sdk/msbuild-props#analysislevel
description: 'Overridden analysis level for reliability rules: https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/reliability-warnings'
required: false
default: 'latest-minimum'
security: # AnalysisLevelSecurity: https://docs.microsoft.com/dotnet/core/project-sdk/msbuild-props#analysislevel
description: 'Overridden analysis level for security rules https://docs.microsoft.com/dotnet/fundamentals/code-analysis/quality-rules/security-warnings'
required: false
default: 'latest-minimum'
usage: # AnalysisLevelPerformance: https://docs.microsoft.com/dotnet/core/project-sdk/msbuild-props#analysislevel
description: 'Overridden analysis level for usage rules: https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/usage-warnings'
required: false
default: 'latest-minimum'
outputs:
sarifFile:
description: A file path to a SARIF results file.
description: A file path to a SARIF file with analysis results.
runs:
using: 'node12'
main: 'lib/action.js'
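Review bot: the `usage` input's comment reads `# AnalysisLevelPerformance`, a copy-paste from the `performance` input; it should be `AnalysisLevelUsage`. Two other nits in the same hunk: `sesign rules` under `design` should be `design rules`, and the `security` description is missing the colon before its URL that every other description has. Separately, `projects` is `required: true` here while the README Basic example and both sample workflows omit it, so the documented usage does not satisfy the declared contract.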
2 changes: 1 addition & 1 deletion build.proj
@@ -9,7 +9,7 @@

<PropertyGroup Label="TypeScript">
<TypeScriptCompileBlocked Condition=" '$(TypeScriptCompileBlocked)' == '' ">false</TypeScriptCompileBlocked>
<TypeScriptToolsVersion Condition=" '$(TypeScriptToolsVersion)' == '' ">3.8</TypeScriptToolsVersion>
<TypeScriptToolsVersion Condition=" '$(TypeScriptToolsVersion)' == '' ">4.1</TypeScriptToolsVersion>
<TypeScriptConfigFileName Condition=" '$(TypeScriptConfigFileName)' == '' ">tsconfig.json</TypeScriptConfigFileName>
<TypeScriptConfigFilePath>$(MSBuildProjectDirectory)/$(TypeScriptConfigFileName)</TypeScriptConfigFilePath>
<TscYieldDuringToolExecution>false</TscYieldDuringToolExecution>